07-12-2005 04:05 PM - edited 02-21-2020 12:16 AM
Can I have a /28 and a /24 both allocated into one PIX 515e? My current configuration is set up for the /28 and I would like to keep that address space just as it is and then add the /24 if possible.
Thanks!
07-18-2005 10:57 AM
Yes, you can add /24 along.
07-18-2005 01:30 PM
Can you please list the commands to this post that one would use to add a second subnet to their PIX? I have searched and searched and have not been able to come up with that information.
Thanks!
07-18-2005 02:10 PM
"Can I have a /28 and a /24 both allocated into one PIX 515e?", do u mean a secondary ip on the same interface?
if yes, then i believe it's not feasible.
07-18-2005 03:04 PM
"do u mean a secondary ip on the same interface?"
I currently have a /28 setup in my PIX.
The outside interface is xx.185.xxx.xxx
The inside interface is 192.168.1.1
I am using NAT to translate my public addresses from the outside to the inside.
I have run out of addresses in my /28 so I requested a /24 and have just received them from my provider. Being that I have been using this /28 for some time and I am in full production I do not want to get rid of those addresses and they are not somewhere in the range of addresses in my /24.
What I am hoping to be able to do is to add this second subnet to my PIX and translate both subnets to my inside addresses.
Can this be done?
Thanks for all of your help!
07-18-2005 04:57 PM
assuming the pix interface is not capable for a secondary ip.
an alternative would be to implement a router before or after the pix performing NAT
another alternative is to use dynamic dns such as dyndns.org
08-04-2005 11:37 PM
Hello,
I think the solution is simpler than you think. You can use your new address range with nat, global and statics without actually configuring it on the physical interface. That way you can use your new address space. Your ISP has to route your new network to your PIX outside interface. That is all.
Best Regards
Robert Maras
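The approach Robert Maras describes above, sketched as PIX 6.x commands. This is an added example, not configuration posted by anyone in the thread: 203.0.113.0/24 stands in for the new ISP-routed /24, and the inside host address, the ACL name acl_outside and NAT ID 1 are assumptions.

```cisco
: Constructed values: 203.0.113.0/24 is a placeholder for the new /24,
: 192.168.1.10, acl_outside and NAT ID 1 are assumed, not from the thread.
: The outside interface keeps its existing /28 address; no "ip address" change.

: One-to-one translation publishing an inside server on a new-range address
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

: A static alone exposes nothing until the outside ACL permits it.
: Permit only the required service, and add the entry to the ACL already
: bound to the outside interface (only one ACL applies per interface).
access-list acl_outside permit tcp any host 203.0.113.10 eq www
access-group acl_outside in interface outside

: Optional: extend the existing outbound pool with new-range addresses
: (assumes the inside network already uses "nat (inside) 1 ...")
global (outside) 1 203.0.113.200-203.0.113.250 netmask 255.255.255.0

: Translation changes take effect for new xlates; clearing them drops
: established connections, so schedule it on a production firewall
clear xlate

: Check the result once the ISP routes the /24 to the PIX outside address
show static
show xlate
```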
07-19-2005 01:18 AM
Hi,
you can configure the PIX interface as a trunk. Now you can assign multiple addresses for the same interface like your conventional 802.1q trunking. This feature is supported only above version 6.3. You can ref. the FAQ below.
VMSundaram
07-19-2005 01:01 PM
I cannot log in with my username and password to that link.
07-19-2005 03:46 PM
thanks for the info meenakshi!
according to the doco:
Step 1 Assign the interface speed to a physical interface by entering the following command:
interface ethernet0 auto
Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan2 physical
By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.
Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan3 logical
This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.
Step 4 Configure the logical and physical interfaces by entering the following commands:
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
07-19-2005 04:42 PM
tested the code after posting it.
it seems like the feature works with vlan only, that means it cannot be used as a stand-alone logical interface.
thus it doesn't help with the posted scenario, unless you set up a vlan outside the pix which may not be feasible
08-04-2005 11:25 PM
Hi VMSundaram,
But how can I insert a failover pix in this scenario using only a single L2 switch with 802.1q trunk to primary pix and failover pix?